Analysis
- max time kernel: 148s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 21:43
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe
  - Resource: win7-20220414-en
General
- Target: a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe
- Size: 450KB
- MD5: 09ce5265625b19b7da8de9cd3516caa2
- SHA1: f7a3ce800949de5eed57cd5d0787a5d8b179ee1f
- SHA256: a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200
- SHA512: 636a4cdda8a6599d50f138440a5277e9f2ad6b3b501d4774f96e6763cf50e67decdeee650d97e6534bb4138885a2455a60079f6974f943a34b766fce8f6d2550
Malware Config
Extracted family: njrat
- version: Njrat 0.7 Golden By Hassan Amiri
- botnet (campaign id): HacK
- c2: 93.181.219.38:5552
- mutex / install name: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|

The botnet, c2 and mutex labels were missing from the extracted page and are restored from the njRAT config layout (the three unlabelled values were HacK, 93.181.219.38:5552 and Windows Update, in that order). reg_key is the value name the client registers under the Run key; the same "Windows Update" string doubles as the mutex. The splitter is the campaign-specific field delimiter of the C2 protocol; stock njRAT 0.7d uses |'|'|, so a network signature keyed on the stock delimiter will miss this build, while one keyed on the length-prefixed framing plus the configured splitter will not.
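The extracted splitter and C2 are only useful on the wire if you know how njRAT frames its traffic. The decoder below is an added example (not code from the report or from the malware): njRAT prefixes every message with its decimal length in ASCII, a NUL byte, then the payload, and the payload is a command token followed by fields separated by the configured splitter. The field layout assumed for the "ll" check-in message and the sample stream are constructed for the example, not captured from this sample (the report's Network section is empty), and the C2/splitter constants come from the config above.

```python
"""
Decoder and detection helper for njRAT C2 framing, keyed on the splitter and
C2 from the extracted config.  Added example, not code from the report or the
malware.  The check-in field layout and SAMPLE_STREAM are constructed.
"""
import base64

SPLITTER = "|Hassan|"                       # from the extracted config
C2_HOST, C2_PORT = "93.181.219.38", 5552    # from the extracted config


def build_frame(payload: bytes) -> bytes:
    """Frame a payload the way njRAT does: b'<decimal length>\\x00<payload>'."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def split_frames(buf: bytes):
    """Split a reassembled TCP byte stream into complete njRAT payloads.

    Returns (payloads, tail).  `tail` is an incomplete trailing frame that the
    caller should prepend to the next chunk read from the socket or pcap.
    Raises ValueError if the bytes are not njRAT framing at all.
    """
    payloads, pos = [], 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                  # length field not complete yet
        length_field = buf[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"not njRAT framing at offset {pos}: {length_field!r}")
        start = nul + 1
        end = start + int(length_field)
        if end > len(buf):
            break                                  # payload not complete yet
        payloads.append(buf[start:end])
        pos = end
    return payloads, buf[pos:]


def parse_payload(payload: bytes, splitter: str = SPLITTER) -> dict:
    """Split a payload into its command token and splitter-separated fields."""
    parts = payload.decode("utf-8", errors="replace").split(splitter)
    return {"cmd": parts[0], "fields": parts[1:]}


def decode_victim_id(field: str) -> str:
    """First check-in field is base64; assumed layout '<botnet>_<hwid>'."""
    return base64.b64decode(field).decode("utf-8", errors="replace")


def is_njrat_stream(buf: bytes, splitter: str = SPLITTER) -> bool:
    """Detection rule: well-formed length framing and the splitter inside a payload."""
    try:
        payloads, _ = split_frames(buf)
    except ValueError:
        return False
    return any(splitter.encode() in p for p in payloads)


# Constructed sample check-in from a fictitious victim (not a capture).
SAMPLE_VICTIM_ID = "HacK_0123456789AB"
SAMPLE_VICTIM_ID_B64 = base64.b64encode(SAMPLE_VICTIM_ID.encode()).decode()
SAMPLE_PAYLOAD = SPLITTER.join(
    ["ll", SAMPLE_VICTIM_ID_B64, "WIN7-PC", "Admin", "22-05-20", "",
     "Win 7 Ultimate SP1 x64", "No", "", "0.7 Golden", "..", "notepad", ""]
).encode()
SAMPLE_STREAM = build_frame(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    msgs, tail = split_frames(SAMPLE_STREAM)
    for m in map(parse_payload, msgs):
        print(m["cmd"], decode_victim_id(m["fields"][0]), m["fields"][1:4])
```

Feed `split_frames` the reassembled client-to-server bytes of a flow to 93.181.219.38:5552 (or of any flow, if you are hunting); because the frame length is explicit, the parser survives TCP segmentation and does not need the splitter to find message boundaries. The splitter is only needed to read the fields, so a sensor that has extracted several njRAT configs can try each known splitter against the same frames.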
Signatures

Executes dropped EXE (2 IoCs)
  PID   process
  1988  ddddddddddddddddddddddd.exe
  1524  NINOCHKA.exe

Loads dropped DLL (4 IoCs)
  PID   process
  2040  a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe (3 loads)
  1988  ddddddddddddddddddddddd.exe (1 load)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but that label is a generic heuristic and does not fit this sample: it is njRAT, whose builder includes a removable-drive spreading option, so enumerating drives is expected and no encryption activity is reported anywhere in this run.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID   process
  1524  NINOCHKA.exe
  njRAT polls the foreground window title so that the victim's active window can be shown in the operator's panel; the repeated GetForegroundWindow calls are that polling loop.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  PID   process        token privilege                        events
  1524  NINOCHKA.exe   SeDebugPrivilege                       1
  1524  NINOCHKA.exe   33 (SeIncreaseWorkingSetPrivilege)     9
  1524  NINOCHKA.exe   SeIncBasePriorityPrivilege             9
  The original report lists the 19 events in order: SeDebugPrivilege once, then nine repetitions of the pair (33, SeIncBasePriorityPrivilege). "33" is a privilege LUID the sandbox did not resolve to a name; on Windows 7 LUID 33 is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the one that matters for hunting: it is what a RAT needs to open and manipulate other users' processes.

Suspicious use of WriteProcessMemory (8 IoCs)
  source PID  source process                                                           target PID  target process                 events
  2040        a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe    1988        ddddddddddddddddddddddd.exe    4
  1988        ddddddddddddddddddddddd.exe                                              1524        NINOCHKA.exe                   4
  Each parent writes only into the child it has just spawned (the same chain as the process tree below). That pattern is consistent with process creation rather than injection into an unrelated process; nothing here shows code being written into a pre-existing process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe (PID 2040)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe (PID 1988, child of 2040)
      Command line: "C:\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\NINOCHKA.exe (PID 1524, child of 1988)
         Command line: "C:\Users\Admin\AppData\Local\Temp\NINOCHKA.exe"
         - Executes dropped EXE
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken

Note on the stage-2 path: the sandbox user is Admin, yet the first dropped executable is written to C:\Users\danya\Desktop\Гавно\ (Гавно is Russian, roughly "crap"). The 450KB dropper therefore carries that path as a literal string, an artifact of the operator's build machine, and it is a usable hunting indicator on its own. The same 43KB file also appears in the user's %TEMP% as NINOCHKA.exe (identical hashes in the Downloads section), launched by PID 1988; NINOCHKA.exe is the process that exhibits the njRAT behaviours.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files)

Every dropped-file entry in the original report refers to one and the same 43KB executable: all four paths carry identical MD5/SHA1/SHA256/SHA512 values, so ddddddddddddddddddddddd.exe and NINOCHKA.exe are byte-for-byte copies of the njRAT client, and the 450KB submitted sample is a dropper wrapping it. The report listed each path twice and once more without the drive letter; the duplicates are collapsed here.

Paths:
- C:\Users\Admin\AppData\Local\Temp\NINOCHKA.exe
- C:\Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe
- \Users\Admin\AppData\Local\Temp\NINOCHKA.exe
- \Users\danya\Desktop\Гавно\ddddddddddddddddddddddd.exe

- Filesize: 43KB
- MD5: 236e1fc09c60c6b43e67b197df93e8ee
- SHA1: 5922e2d133d58070c7e2f8b48d02b65b3da669ba
- SHA256: 168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006
- SHA512: 8dc5b04a6baec69c93d60b676028d30276e9afdc34297802411785cc4212b2169fbc96dc63f8a75c4f583a7ba4e7992e8e5724070b7ed964429ec51f0579f9f2
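The hashes above and the reg_key from the extracted config are the two indicators an analyst would sweep a host for. The script below is an added example (not code from the report): it matches files against the dropper and payload SHA-256 values and looks for a Run-key value named "Windows Update" in a `reg export` of the Run key. The .reg text embedded in it is constructed to look like such an export; it is not a capture from the sandbox, and the value data in it is illustrative.

```python
"""
Host-side sweep for this report's indicators: dropped-file hashes plus the
Run-key value name from the extracted njRAT config (reg_key "Windows Update").
Added example, not code from the report.  SAMPLE_REG is constructed.
"""
import hashlib
import sys
from pathlib import Path

# Hashes from the report.  Both dropped executables are the same 43KB file.
DROPPER_SHA256 = "a05ba3307eab357dec2c3647d079ab6c988c998e6dd065992aa8b677d9a30200"
PAYLOAD_SHA256 = "168d04b8fc47a7254a0d9d4ad22e4d4f75fa4c8dc8bbb32ffe226f2c58775006"
KNOWN = {
    DROPPER_SHA256: "njRAT dropper",
    PAYLOAD_SHA256: "njRAT payload (NINOCHKA.exe / ddddddddddddddddddddddd.exe)",
}
REG_VALUE_NAME = "Windows Update"            # reg_key from the extracted config
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"   # HKCU or HKLM


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(digest: str):
    """Label of the report indicator a SHA-256 matches, or None."""
    return KNOWN.get(digest.lower())


def sweep_hashes(root):
    """Walk `root`; return [(path, label)] for files whose SHA-256 is in the report."""
    hits = []
    for p in Path(root).rglob("*"):
        try:
            if p.is_file():
                label = classify_digest(sha256_file(p))
                if label:
                    hits.append((str(p), label))
        except OSError:
            continue                              # unreadable file: keep sweeping
    return hits


def _unescape_reg_string(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the following character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def find_run_value(reg_text: str, value_name: str = REG_VALUE_NAME):
    """Return [(key, data)] for each Run-key value named `value_name` in a .reg export."""
    hits, key, in_run = [], None, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            in_run = key.lower().endswith(RUN_KEY_SUFFIX)
            continue
        if not in_run or not line.startswith('"'):
            continue
        name, sep, data = line[1:].partition('"=')
        if not sep or name.lower() != value_name.lower():
            continue
        if data.startswith('"') and data.endswith('"'):      # REG_SZ, quoted
            data = _unescape_reg_string(data[1:-1])
        hits.append((key, data))
    return hits


# Constructed .reg export (not from the sandbox) with one benign and one suspect value.
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    r'"Windows Update"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NINOCHKA.exe\""',
    "",
])


if __name__ == "__main__":
    print(find_run_value(SAMPLE_REG))
    if len(sys.argv) > 1:
        print(sweep_hashes(sys.argv[1]))
```

`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` writes UTF-16LE with a BOM, so read it with `open("run.reg", encoding="utf-16")` before passing the text to `find_run_value`; run the same export for HKLM. A value named "Windows Update" pointing into a user's %TEMP% or Desktop is the combination to alert on, since Microsoft's own update components do not register there. The mutex of the same name and any Startup-folder copy have to be checked live on the Windows host and are outside this offline example.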
Memory dumps
- memory/1524-64-0x0000000000000000-mapping.dmp
- memory/1524-67-0x0000000000F20000-0x0000000000F32000-memory.dmp (72KB)
- memory/1988-61-0x0000000000CB0000-0x0000000000CC2000-memory.dmp (72KB)
- memory/1988-58-0x0000000000000000-mapping.dmp
- memory/2040-54-0x0000000076261000-0x0000000076263000-memory.dmp (8KB)